DO Ideas 2

Return the droplet's SSH public key as part of API droplet creation / query

Since I want to provision servers I want to be able to trust that I'm not getting MITM'ed. While I know I can trust the DigitalOcean response (because of HTTPS / certs) I don't know that I can trust the (generated) public key of my new droplet. By including the public key into the droplet response this can be avoided. Before connecting to a droplet for the first time I could query the API for the droplet's public key, then programmatically add it to my HOSTS file, closing the trust loop.

  • Zach Aysan
  • Sep 11 2018
  • allonhadaya commented
    September 11, 2018 16:43

    It would be nice if the public host key was also displayed on the website (maybe on the droplet access page)... This would help serve users who create droplets through the website with the same improvement in establishing trust.

    As a temporary hack, this can already be done: open a terminal session on the web console, and print the public host key fp. This happens over HTTPS.

  • Hilton De Meillon commented
    September 11, 2018 16:43

    I have been asking for this for years now... such a supposedly easy thing to do with profound security implications if not done! Every time I start a droplet I have to:

    1) log into console and check ssh key
    2) accept the key in my local terminal

    Such a wasted opportunity for DO!
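    The check the idea and the two manual steps above describe, written out as an added example (it is not code from this thread or from DigitalOcean): take the host public key line obtained over a trusted channel, compare its fingerprint with the one read from the console, and only then pin it in known_hosts, refusing to silently replace a key already recorded for that host. The key line, the host 203.0.113.10 and the known_hosts path are constructed placeholders.

```python
import base64
import hashlib
import os
import struct

def parse_pubkey_line(line: str) -> tuple[str, bytes]:
    """Split an OpenSSH public key line into (key type, raw key blob) and check
    that the type encoded inside the blob matches the declared one."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    keytype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type inside blob does not match declared type")
    return keytype, blob

def sha256_fingerprint(line: str) -> str:
    """Fingerprint in the form `ssh-keygen -lf` prints: SHA256:<unpadded base64>."""
    _, blob = parse_pubkey_line(line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def pin_host_key(host: str, line: str, expected_fp: str, known_hosts: str) -> str:
    """Record host's key in known_hosts only if its fingerprint equals the one read
    over the trusted channel, and never replace a differing key already pinned."""
    fp = sha256_fingerprint(line)
    if fp != expected_fp:
        raise ValueError(f"fingerprint mismatch: got {fp}, expected {expected_fp}")
    keytype, blob = parse_pubkey_line(line)
    entry = f"{host} {keytype} {base64.b64encode(blob).decode()}"
    existing = open(known_hosts).read().splitlines() if os.path.exists(known_hosts) else []
    for old in existing:
        if old.startswith(f"{host} {keytype} ") and old != entry:
            raise ValueError(f"{host} already pinned with a different {keytype} key")
    if entry not in existing:
        with open(known_hosts, "a") as fh:
            fh.write(entry + "\n")
    return entry

def sample_key_line() -> str:
    """Constructed stand-in for the key the API would return: a structurally valid
    ssh-ed25519 line whose 32-byte key is a dummy, not a real host key."""
    kt = b"ssh-ed25519"
    blob = struct.pack(">I", len(kt)) + kt + struct.pack(">I", 32) + bytes(range(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@droplet"

if __name__ == "__main__":
    key = sample_key_line()
    # expected_fp would normally be read from the API or console; computed locally here
    print(pin_host_key("203.0.113.10", key, sha256_fingerprint(key), "/tmp/known_hosts_demo"))
```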

  • Zach Aysan commented
    September 11, 2018 16:43

    Because debugging is hard when you have slightly messed up a cloud-init script, I elected to inject the key with the following cloud-init script:

    # Ruby hash serialized into the cloud-init user-data (#cloud-config); private_key and
    # public_key hold the base64-encoded key files generated on the provisioning server.
    # The public key file follows the OpenSSH convention of <HostKey>.pub.
    { "runcmd" => ["rm /etc/ssh/ssh_host_ecdsa*",
    "echo #{private_key} > /tmp/base64_pri && base64 --decode /tmp/base64_pri > /etc/ssh/ssh_host_ecdsa_key",
    "echo #{public_key} > /tmp/base64_pub && base64 --decode /tmp/base64_pub > /etc/ssh/ssh_host_ecdsa_key.pub",
    "chmod 600 /etc/ssh/ssh_host_ecdsa_key",
    "chmod 644 /etc/ssh/ssh_host_ecdsa_key.pub",
    # don't leave the private key material lying around in /tmp
    "rm -f /tmp/base64_pri /tmp/base64_pub",
    "sleep 1 && service ssh restart"
    ] }

  • Zach Aysan commented
    September 11, 2018 16:43

    I suppose that a workaround could be to use this: and a key registry of some kind or even just run a script to replace the generated keys with ones generated by the provisioning server.